Former secretary of defense Leon Panetta once described cyber warfare as “the most serious threat in the twenty-first century,” capable of destroying our entire infrastructure and crippling the nation.

Already, major cyber attacks have affected countries around the world: Estonia in 2007, Georgia in 2008, Iran in 2010, and most recently the United States. As with other methods of war, cyber technology can be used not only against military forces and facilities but also against civilian targets. Information technology has enabled a new method of warfare that is proving extremely difficult to combat, let alone defeat.

And yet cyber warfare is still in its infancy, with innumerable possibilities and contingencies for how such conflicts may play out in the coming decades. Brian M. Mazanec examines the worldwide development of constraining norms for cyber war and predicts how those norms will unfold in the future. Employing case studies of other emerging-technology weapons—chemical and biological, strategic bombing, and nuclear weaponry—Mazanec expands previous understandings of norm-evolution theory, offering recommendations for U.S. policymakers and citizens alike as they grapple with the reality of cyber terrorism in our own backyard.

Cyberspace operations have a far-reaching, permanent impact on military operations. At the conceptual level, the U.S. Department of Defense (DoD) now recognizes five warfighting domains: land, maritime, air, space, and cyber.1 While there are examples of how cyberspace support to military operations have advanced over the past decade, one gap has not been addressed in detail—operational planning.

One operation, one mission, yet it requires a myriad of extraordinary experts—each unique and each integral to an RPA operation that depends on well over a hundred individual commercial and military network connections, dozens of integrated hardware systems, miles of fiber-optic cable, significant satellite bandwidth, and millions of lines of software code. Welcome to the cyber domain: an environment of intellect, integration, and, for good as well as ill, complex interdependency.

Terrorists are known to use the Internet for communications, planning, recruitment, propaganda, and reconnaissance. They have shown interest in carrying out cyberattacks on U.S. critical infrastructures, although no such serious attacks are known publicly to have occurred. The discovery of the Stuxnet malware in July 2010, and its analysis over the next several months, was widely believed to have been a landmark event in cybersecurity, because it showed that cyberattacks against industrial control systems, hypothesized for a long time, are actually possible. After Stuxnet, there were public concerns that terrorists might be encouraged to acquire capabilities for similar cyberattacks.

This monograph examines cyberterrorism before and after Stuxnet by addressing questions of:

2. Means—Are terrorists building capabilities and skills for cyberattacks?

3. Opportunity—How vulnerable are U.S. critical infrastructures?

It is noted that no serious cyberterrorism attacks have occurred after Stuxnet. This can be explained from a cost-benefit perspective that has not changed since Stuxnet. It can be argued that U.S. policies can really address vulnerabilities only by strengthening defenses of critical infrastructures.

Achieving global cyber superiority or global cyber control by any organization is no longer technically possible. Instead, the proper overarching objective should be dominance of one or more of the elements of cyberspace of most importance to the organization at any given time.1 The successful nation is the one that achieves and maintains strategic and tactical dominance in its critical elements of cyberspace when required.2 Two important questions related to the strategic aspects of cyber conflict are: what should be the basic technological building block(s) for strategic cyber defense to assure dominance of one’s own critical elements of cyberspace, and what are the classes of strategic data target(s) strategic cyber defense must protect?

The ability to retaliate against cyber attackers—irrespective of the legalities of such actions—appears to have gained traction in the United States government, but is it a practical response for achieving tactical and strategic objectives in cyberspace? Attribution limitations, collateral damage considerations, the Internet’s global archi- tecture, and potential event escalation make the challenges of engaging in active cyber defense an ineffective course of action destined to achieve limited tactical successes at best; and it risks accelerating digital as well as physical conflict. Too many variables prevent active cyber defense deter- ring or punishing adversaries in cyberspace. For that reason, this article advocates a more productive solution—aggressive cyber defense—to frustrate attackers via nondestructive or damaging activities.

As international scrutiny remains focused on the Islamic Republic of Iran’s nuclear program, a capability is developing in the shadows inside Iran that could pose an even greater threat to the United States. The 2010 National Security Strategy discusses Iran in the context of its nuclear program, support of terrorism, its influence in regional activities, and its internal problems. There was no mention of Iran’s cyber capability or of that ability to pose a threat to U.S. interests. This is understandable, considering Iran has not been a major concern in the cyber realm. Furthermore, Russia and China’s cyber activities have justifiably garnered a majority of attention and been widely reported in the media over the past decade. Iran’s cyber capabilities have been considered third-tier at best. That is rapidly changing. This report discusses the growing cyber capability of Iran and why it poses a new threat to U.S. national interests.

Outer space has enjoyed two decades of fairly peaceful development since the Cold War, but once again it is becoming more competitive and contested, with increased militarization. Therefore, it is important the United States maintain its space superiority to ensure it has the capabilities required by modern warfare for successful operations. Today is different from earlier periods of space development,1 because there is not a blatantly overt arms race in space,2 but instead a covert challenge to US interests in maintaining superiority, resilience, and capability. A finite number of states consider themselves geopolitical actors; however, as long as the United States maintains space superiority, they must play according to a set of rules written without their consent and forced upon them. US space assets monitor the actions of authoritarian regimes and their pursuit of regional influence—a practice these regimes find quite disturbing. Therefore, any degradation or limitation of US space-borne capabilities would be seen as a successful outcome for such regimes. Cyber warfare offers these adversarial actors the opportunity to directly or indirectly destroy US space assets with minimal risk due to limited attribution and traceability. This article addresses how they might accomplish this objective. We must begin by examining US reliance on space before focusing on space clutter and the means an adversary might use to exploit it. While satellite protection is a challenge, there are several solutions the United States should consider in the years ahead.

Georgian-Russian hostilities in South Ossetia have generated a substantial amount of analysis and speculation regarding the accompanying cyber conflict.5 Most of the focus has centered on identifying the parties who conducted the cyber attacks. The Georgian cyber event provides an intriguing opportunity to examine a more subtle and perhaps overlooked aspect of cyber conflict—the concept of cyber neutrality. The Georgian case raises two fundamental questions: (1) How did the combined actions of the Georgian government and US information technology (IT) companies impact American status as a cyber neutral? (2) Can the United States remain neutral (or cyber neutral) during a cyber conflict?